Merge branch 'modules-next' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux

Pull module signing support from Rusty Russell: "module signing is the highlight, but it's an all-over David Howells frenzy..." Hmm "Magrathea: Glacier signing key". Somebody has been reading too much HHGTTG. * 'modules-next' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux: (37 commits) X.509: Fix indefinite length element skip error handling X.509: Convert some printk calls to pr_devel asymmetric keys: fix printk format warning MODSIGN: Fix 32-bit overflow in X.509 certificate validity date checking MODSIGN: Make mrproper should remove generated files. MODSIGN: Use utf8 strings in signer's name in autogenerated X.509 certs MODSIGN: Use the same digest for the autogen key sig as for the module sig MODSIGN: Sign modules during the build process MODSIGN: Provide a script for generating a key ID from an X.509 cert MODSIGN: Implement module signature checking MODSIGN: Provide module signing public keys to the kernel MODSIGN: Automatically generate module signing keys if missing MODSIGN: Provide Kconfig options MODSIGN: Provide gitignore and make clean rules for extra files MODSIGN: Add FIPS policy module: signature checking hook X.509: Add a crypto key parser for binary (DER) X.509 certificates MPILIB: Provide a function to read raw data into an MPI X.509: Add an ASN.1 decoder X.509: Add simple ASN.1 grammar compiler ...
author: Linus Torvalds <torvalds@linux-foundation.org> 2012-10-14 16:39:34 -0400
committer: Linus Torvalds <torvalds@linux-foundation.org> 2012-10-14 16:39:34 -0400
commit: d25282d1c9b9bc4cda7f9d3c0205108e99aa7a9d (patch)
tree: f414482d768b015a609924293b779b4ad0b8f764 /kernel/Makefile
parent: b6eea87fc6850d3531a64a27d2323a4498cd4e43 (diff)
parent: dbadc17683e6c673a69b236c0f041b931cc55c42 (diff)
1 files changed, 77 insertions, 0 deletions
diff --git a/kernel/Makefile b/kernel/Makefile
index 5404911eaee9..0dfeca4324ee 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -54,6 +54,7 @@ obj-$(CONFIG_DEBUG_SPINLOCK) += spinlock.o
 obj-$(CONFIG_PROVE_LOCKING) += spinlock.o
 obj-$(CONFIG_UID16) += uid16.o
 obj-$(CONFIG_MODULES) += module.o
+obj-$(CONFIG_MODULE_SIG) += module_signing.o modsign_pubkey.o
 obj-$(CONFIG_KALLSYMS) += kallsyms.o
 obj-$(CONFIG_BSD_PROCESS_ACCT) += acct.o
 obj-$(CONFIG_KEXEC) += kexec.o
@@ -130,3 +131,79 @@ quiet_cmd_timeconst  = TIMEC   $@
 targets += timeconst.h
 $(obj)/timeconst.h: $(src)/timeconst.pl FORCE
        $(call if_changed,timeconst)
+ifeq ($(CONFIG_MODULE_SIG),y)
+#
+# Pull the signing certificate and any extra certificates into the kernel
+#
+extra_certificates:
+        touch $@
+kernel/modsign_pubkey.o: signing_key.x509 extra_certificates
+###############################################################################
+#
+# If module signing is requested, say by allyesconfig, but a key has not been
+# supplied, then one will need to be generated to make sure the build does not
+# fail and that the kernel may be used afterwards.
+#
+###############################################################################
+sign_key_with_hash :=
+ifeq ($(CONFIG_MODULE_SIG_SHA1),y)
+sign_key_with_hash := -sha1
+endif
+ifeq ($(CONFIG_MODULE_SIG_SHA224),y)
+sign_key_with_hash := -sha224
+endif
+ifeq ($(CONFIG_MODULE_SIG_SHA256),y)
+sign_key_with_hash := -sha256
+endif
+ifeq ($(CONFIG_MODULE_SIG_SHA384),y)
+sign_key_with_hash := -sha384
+endif
+ifeq ($(CONFIG_MODULE_SIG_SHA512),y)
+sign_key_with_hash := -sha512
+endif
+ifeq ($(sign_key_with_hash),)
+$(error Could not determine digest type to use from kernel config)
+endif
+signing_key.priv signing_key.x509: x509.genkey
+        @echo "###"
+        @echo "### Now generating an X.509 key pair to be used for signing modules."
+        @echo "###"
+        @echo "### If this takes a long time, you might wish to run rngd in the"
+        @echo "### background to keep the supply of entropy topped up.  It"
+        @echo "### needs to be run as root, and should use a hardware random"
+        @echo "### number generator if one is available, eg:"
+        @echo "###"
+        @echo "###     rngd -r /dev/hwrandom"
+        @echo "###"
+        openssl req -new -nodes -utf8 $(sign_key_with_hash) -days 36500 -batch \
+                -x509 -config x509.genkey \
+                -outform DER -out signing_key.x509 \
+                -keyout signing_key.priv
+        @echo "###"
+        @echo "### Key pair generated."
+        @echo "###"
+x509.genkey:
+        @echo Generating X.509 key generation config
+        @echo  >x509.genkey "[ req ]"
+        @echo >>x509.genkey "default_bits = 4096"
+        @echo >>x509.genkey "distinguished_name = req_distinguished_name"
+        @echo >>x509.genkey "prompt = no"
+        @echo >>x509.genkey "string_mask = utf8only"
+        @echo >>x509.genkey "x509_extensions = myexts"
+        @echo >>x509.genkey
+        @echo >>x509.genkey "[ req_distinguished_name ]"
+        @echo >>x509.genkey "O = Magrathea"
+        @echo >>x509.genkey "CN = Glacier signing key"
+        @echo >>x509.genkey "emailAddress = slartibartfast@magrathea.h2g2"
+        @echo >>x509.genkey
+        @echo >>x509.genkey "[ myexts ]"
+        @echo >>x509.genkey "basicConstraints=critical,CA:FALSE"
+        @echo >>x509.genkey "keyUsage=digitalSignature"
+        @echo >>x509.genkey "subjectKeyIdentifier=hash"
+        @echo >>x509.genkey "authorityKeyIdentifier=keyid"
+endif
author	Linus Torvalds <torvalds@linux-foundation.org>	2012-10-14 16:39:34 -0400
committer	Linus Torvalds <torvalds@linux-foundation.org>	2012-10-14 16:39:34 -0400
commit	d25282d1c9b9bc4cda7f9d3c0205108e99aa7a9d (patch)
tree	f414482d768b015a609924293b779b4ad0b8f764 /kernel/Makefile
parent	b6eea87fc6850d3531a64a27d2323a4498cd4e43 (diff)
parent	dbadc17683e6c673a69b236c0f041b931cc55c42 (diff)

diff --git a/kernel/Makefile b/kernel/Makefile index 5404911eaee9..0dfeca4324ee 100644 --- a/kernel/Makefile +++ b/kernel/Makefile
@@ -54,6 +54,7 @@ obj-$(CONFIG_DEBUG_SPINLOCK) += spinlock.o
54	obj-$(CONFIG_PROVE_LOCKING) += spinlock.o	54	obj-$(CONFIG_PROVE_LOCKING) += spinlock.o
55	obj-$(CONFIG_UID16) += uid16.o	55	obj-$(CONFIG_UID16) += uid16.o
56	obj-$(CONFIG_MODULES) += module.o	56	obj-$(CONFIG_MODULES) += module.o
		57	obj-$(CONFIG_MODULE_SIG) += module_signing.o modsign_pubkey.o
57	obj-$(CONFIG_KALLSYMS) += kallsyms.o	58	obj-$(CONFIG_KALLSYMS) += kallsyms.o
58	obj-$(CONFIG_BSD_PROCESS_ACCT) += acct.o	59	obj-$(CONFIG_BSD_PROCESS_ACCT) += acct.o
59	obj-$(CONFIG_KEXEC) += kexec.o	60	obj-$(CONFIG_KEXEC) += kexec.o
@@ -130,3 +131,79 @@ quiet_cmd_timeconst = TIMEC $@
130	targets += timeconst.h	131	targets += timeconst.h
131	$(obj)/timeconst.h: $(src)/timeconst.pl FORCE	132	$(obj)/timeconst.h: $(src)/timeconst.pl FORCE
132	$(call if_changed,timeconst)	133	$(call if_changed,timeconst)
		134
		135	ifeq ($(CONFIG_MODULE_SIG),y)
		136	#
		137	# Pull the signing certificate and any extra certificates into the kernel
		138	#
		139	extra_certificates:
		140	touch $@
		141
		142	kernel/modsign_pubkey.o: signing_key.x509 extra_certificates
		143
		144	###############################################################################
		145	#
		146	# If module signing is requested, say by allyesconfig, but a key has not been
		147	# supplied, then one will need to be generated to make sure the build does not
		148	# fail and that the kernel may be used afterwards.
		149	#
		150	###############################################################################
		151	sign_key_with_hash :=
		152	ifeq ($(CONFIG_MODULE_SIG_SHA1),y)
		153	sign_key_with_hash := -sha1
		154	endif
		155	ifeq ($(CONFIG_MODULE_SIG_SHA224),y)
		156	sign_key_with_hash := -sha224
		157	endif
		158	ifeq ($(CONFIG_MODULE_SIG_SHA256),y)
		159	sign_key_with_hash := -sha256
		160	endif
		161	ifeq ($(CONFIG_MODULE_SIG_SHA384),y)
		162	sign_key_with_hash := -sha384
		163	endif
		164	ifeq ($(CONFIG_MODULE_SIG_SHA512),y)
		165	sign_key_with_hash := -sha512
		166	endif
		167	ifeq ($(sign_key_with_hash),)
		168	$(error Could not determine digest type to use from kernel config)
		169	endif
		170
		171	signing_key.priv signing_key.x509: x509.genkey
		172	@echo "###"
		173	@echo "### Now generating an X.509 key pair to be used for signing modules."
		174	@echo "###"
		175	@echo "### If this takes a long time, you might wish to run rngd in the"
		176	@echo "### background to keep the supply of entropy topped up. It"
		177	@echo "### needs to be run as root, and should use a hardware random"
		178	@echo "### number generator if one is available, eg:"
		179	@echo "###"
		180	@echo "### rngd -r /dev/hwrandom"
		181	@echo "###"
		182	openssl req -new -nodes -utf8 $(sign_key_with_hash) -days 36500 -batch \
		183	-x509 -config x509.genkey \
		184	-outform DER -out signing_key.x509 \
		185	-keyout signing_key.priv
		186	@echo "###"
		187	@echo "### Key pair generated."
		188	@echo "###"
		189
		190	x509.genkey:
		191	@echo Generating X.509 key generation config
		192	@echo >x509.genkey "[ req ]"
		193	@echo >>x509.genkey "default_bits = 4096"
		194	@echo >>x509.genkey "distinguished_name = req_distinguished_name"
		195	@echo >>x509.genkey "prompt = no"
		196	@echo >>x509.genkey "string_mask = utf8only"
		197	@echo >>x509.genkey "x509_extensions = myexts"
		198	@echo >>x509.genkey
		199	@echo >>x509.genkey "[ req_distinguished_name ]"
		200	@echo >>x509.genkey "O = Magrathea"
		201	@echo >>x509.genkey "CN = Glacier signing key"
		202	@echo >>x509.genkey "emailAddress = slartibartfast@magrathea.h2g2"
		203	@echo >>x509.genkey
		204	@echo >>x509.genkey "[ myexts ]"
		205	@echo >>x509.genkey "basicConstraints=critical,CA:FALSE"
		206	@echo >>x509.genkey "keyUsage=digitalSignature"
		207	@echo >>x509.genkey "subjectKeyIdentifier=hash"
		208	@echo >>x509.genkey "authorityKeyIdentifier=keyid"
		209	endif